How to manage secrets

To add a (user) secret, run the add-secret command followed by a secret name and a (space-separated list of) key-value pair(s). This will return a secret ID. For example:

$ juju add-secret dbpassword foo=bar
secret:copp9vfmp25c77di8nm0

The command also allows you to specify the type of key, whether you want to supply its value from a file, whether you want to give it a label, etc.

See more: juju add-secret

To add a (user) secret on the controller specified in the juju provider definition, in your Terraform plan create a resource of the juju_secret type, specifying, at the very least, a model, the name of the secret, a values map and, optionally, an info field. For example:

resource "juju_secret" "my-secret" {
  model = juju_model.development.name
  name  = "my_secret_name"
  value = {
    key1 = "value1"
    key2 = "value2"
  }
  info = "<description of the secret>"
}

See more: juju_secret (resource)

To view all the (user and charm) secrets available in a model, run:

juju secrets

You can also add options to specify an output format, a model other than the current model, an owner, etc.

See more: juju secrets

The terraform juju client does not support this. Please use the juju client.

To drill down into a (user or charm) secret, run the show-secret command followed by the secret name or ID. For example:

juju show-secret 9m4e2mr0ui3e8a215n4g

You can also add options to specify the format, the revision, whether to reveal the value of a secret, etc.

See more: juju show-secret

The terraform juju client does not support this. Please use the juju client.

Given a charm that has a configuration option that allows it to be configured with a user secret, to grant the application deployed from it access to the secret, run the grant-secret command followed by the secret name or ID and by the name of the application. For example:

juju grant-secret dbpassword mysql

Note that this only gives the application permission to use the secret, so you must follow up by giving the application the secret itself, by setting its relevant secret-relation configuration option to the secret URI:

juju config <application> <option>=<secret URI>

See more: juju grant-secret

Given a model that contains both your (user) secret and the application(s) that you want to grant access to, to grant the application(s) access to the secret, in your Terraform plan create a resource of the juju_access_secret type, specifying the model, the secret ID, and the application(s) that you wish to grant access to. For example:

resource "juju_access_secret" "my-secret-access" {
  model = juju_model.development.name

  # Use the secret_id from your secret resource or data source.
  secret_id = juju_secret.my-secret.secret_id

  applications = [
    juju_application.app.name, juju_application.app2.name
  ]
}

See more: juju_access_secret (resource)

To update a (user) secret, run the update-secret command followed by the secret ID and the updated (space-separated list of) key-value pair(s). For example:

juju update-secret secret:9m4e2mr0ui3e8a215n4g token=34ae35facd4

See more: juju update-secret

To update a (user) secret, update its resource definition from your Terraform plan.

To remove all the revisions of a (user) secret, run the remove-secret command followed by the secret ID. For example:

juju remove-secret  secret:9m4e2mr0ui3e8a215n4g

The command also allows you to specify a model or to provide a specific revision to remove instead of the default all.

See more: juju remove-secret

To remove a secret, remove its resource definition from your Terraform plan.